In today's culture organizations have come to expect that information security incidents and breaches are no longer a matter of if but when. This shifting paradigm has brought increased attention, not to the defenses in place to prevent an incident but, to how companies manage the aftermath. Using a phenomenological model, organizations can reconstruct events focused on the human aspects of security with forensic technology providing supporting information. This can be achieved by conducting an after action review for incidents using a phenomenological model. Through this approach the researcher can discover the common incident management cycle attributes and how these attributes have been applied in the organization. An interview guide and six steps are presented to accomplish this type of review. By understanding what happened, how it happened, and why it happened during incident response, organizations can turn their moment of weakness into a pillar of strength.